The Internet is going to be hell whenever they get hacked.

# Apr 7, 2016 07:10

Antillie posted: ECDSA

I would like to point out that the NIST curves everyone uses used some arbitrary value for the generator seed, so there's no telling if the NSA tampered with them or not. Until this draft becomes an RFC or TLS 1.3 comes out and Curve25519 support becomes mainstream, you're better off using RSA.

# Apr 25, 2016 01:57

Also, I specifically mentioned Curve25519 as a response to that exact issue. The number it uses was chosen because it's the smallest number that performs well for its security level. It's already used in OpenSSH, and it will be in TLS 1.3 alongside the NIST curves.

# Apr 26, 2016 04:50

You know, most organizations I see constantly have prompts to update Acrobat Reader and Java and whatever. You can argue about antivirus all you want, but regardless, it's not the most important step in security.

# May 2, 2016 03:24

Seven million characteristics.

# May 5, 2016 18:43

So, Windows 10 just got updated, and

Zero VGS posted: Also, the update uninstalls Classic Shell. Thanks fuckfaces!

Guess what simultaneously happened to Classic Shell's hosting provider:

Klyith posted:

Microsoft makes good decisions, guys. Really. Also, don't download anything from FossHub, if it wasn't obvious enough.

# Aug 3, 2016 05:24

BangersInMyKnickers posted: lol

Because then you wouldn't see the funny message and would instead get a cryptic error message from UEFI. SecureBoot doesn't stop you from wiping out the bootloader. Not running untrusted or unsigned applications as admin, staying up to date, and not doing stupid things to your partitions does. (This particular group didn't include a UEFI version because it was a waste of their time, but they could have done so trivially if they had the build environment set up.)

# Aug 3, 2016 17:34

Oh hey, it gets better!

Softpedia posted: On Twitter, the hacker said he compromised the entire website, including the administrator's email. He also revealed he didn't dump the site's database but claimed that "passwords weren't salted."

But that's no problem, because the developers would obviously use completely different passwords for every service they use! What could possibly go wrong?

# Aug 4, 2016 00:21

TheFluff posted: The point about allowing unicode made me recall this tangentially related hack: https://labs.spotify.com/2013/06/18/creative-usernames/

Unicode in passwords has kind of the opposite problem. Say you wanted to use the character 'ñ' in your password. The problem is, there are two different 'ñ's: U+00F1 by itself (ñ), and a U+006E followed by a U+0303 (ñ). They're semantically identical, but they will produce totally different hash values. While that's an easy problem to solve, there are a ton of edge cases in Unicode that can make passwords fail to match up. For instance, there's a modifier character for certain emoji that lets you change the skin color. Some systems could strip out that character, resulting in an entirely different password. For the Web in particular, you have to rely on browsers and servers using consistent and correct implementations of Unicode, or your users could get locked out when their browser updates.

Double Punctuation fucked around with this message at 14:54 on Aug 19, 2016

# Aug 19, 2016 14:51

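Both cases from the post, as an added PowerShell example that is not from the thread or any poster: the two spellings of ñ, which NFC normalization before hashing reconciles, and the emoji skin-tone modifier, which normalization leaves alone so a client that strips it still produces a different password. SHA-256 stands in for a real password hash (bcrypt/Argon2), and the sample passwords are constructed here.

```powershell
# Added example, not from the thread: why a password store must normalize Unicode
# before hashing, and why normalization cannot rescue a client that drops an emoji
# skin-tone modifier. SHA-256 stands in for a real password hash (bcrypt/Argon2).

function Get-CodePoints {
    # Render a string as its Unicode code points (handles surrogate pairs).
    param([string]$Text)
    $points = @(); $i = 0
    while ($i -lt $Text.Length) {
        $cp = [char]::ConvertToUtf32($Text, $i)
        $points += 'U+{0:X4}' -f $cp
        $i += $(if ($cp -gt 0xFFFF) { 2 } else { 1 })
    }
    return $points -join ' '
}

function Get-PasswordHash {
    param([Parameter(Mandatory)][string]$Password, [switch]$Normalize)
    # NFC (FormC) maps canonically equivalent sequences to one spelling.
    $text = if ($Normalize) { $Password.Normalize([Text.NormalizationForm]::FormC) } else { $Password }
    $sha = [Security.Cryptography.SHA256]::Create()
    try {
        $digest = $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($text))
        return ([BitConverter]::ToString($digest)).Replace('-', '').ToLower()
    }
    finally { $sha.Dispose() }
}

# Constructed passwords: the same visible text typed two ways.
$composed     = 'ma' + [char]0x00F1 + 'ana'                  # ñ as the single code point U+00F1
$decomposed   = 'man' + [char]0x0303 + 'ana'                 # n followed by combining tilde U+0303
$withTone     = 'pw' + [char]::ConvertFromUtf32(0x1F44D) + [char]::ConvertFromUtf32(0x1F3FD)  # thumbs-up + skin-tone modifier
$toneStripped = 'pw' + [char]::ConvertFromUtf32(0x1F44D)     # what a modifier-stripping client would send

@(
    @('n-tilde: one code point vs. base + combining', $composed, $decomposed),
    @('emoji: skin-tone modifier kept vs. stripped',   $withTone, $toneStripped)
) | ForEach-Object {
    [pscustomobject]@{
        Case           = $_[0]
        CodePointsA    = Get-CodePoints $_[1]
        CodePointsB    = Get-CodePoints $_[2]
        RawHashesMatch = (Get-PasswordHash $_[1]) -eq (Get-PasswordHash $_[2])
        NfcHashesMatch = (Get-PasswordHash $_[1] -Normalize) -eq (Get-PasswordHash $_[2] -Normalize)
    }
} | Format-List
```

The first case only matches once both sides are normalized; the second never matches, because the modifier is a separate code point that NFC preserves, so the fix has to be consistent handling on every client, not normalization on the server.
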
When comparing Linux with the NT kernel, I'd say Linux has a slight lead due to the LSMs and the monolithic architecture (less bad drivers, since there's less of a need for third-party drivers). Comparing Windows with OSs using Linux, I'd say Windows, primarily because Windows handles authorization based on what an application is trying to do, not what the application is. With Linux, you are either a user or an administrator, but you can run specific programs as an administrator even if you are a user. With Windows, you can hand out certain rights to users without giving them full administrative privileges in any application. Overall, though, they're fairly comparable, and it's more a matter of preference. Unless you're talking about GUIs, in which case, all I'll say is stay the gently caress away from X.Org as root. It's trash and has been for a decade. Wayland can't come fast enough.

# Aug 21, 2016 07:07

Absurd Alhazred posted: The latest SMBC is appropriate:

https://www.youtube.com/watch?v=X4RuB3gT8t0

# Sep 10, 2016 08:00

Can't you forbid Windows from installing new drivers without administrator approval? There should be no reason you'd have drivers for an ethernet-over-USB device installed on a desktop in most work places.

# Nov 22, 2016 18:29

Just lock the computer in a case with some vent holes. Problem solved.

# Nov 22, 2016 19:12

Cup Runneth Over posted: This but unironically: 127.234.43.124

Great ping on that address. It's almost as if that machine is right next to me.

# Jan 13, 2017 18:51

cheese-cube posted: If I was Red Team and wanted to try and elevate privilege the first thing I would look for is a Scheduled Task configured to run a PowerShell script in the context of a privileged service account. Then I would see if I can edit the script referenced by the task. I'd reckon that 9/10 times the NTFS permissions on the .ps1 file would allow an unprivileged user to edit it. Depending on how privileged the service account is you can cause some serious havoc.

To add to this: most software installation programs I've seen don't touch the permissions of their files. They just inherit whatever permissions are on the containing folder. If that folder isn't in Program Files, which many installers do to avoid spaces in the path, there are going to be problems, since permissions are very lenient on the drive itself. Real users can do just about anything to said files. If an installer takes the slightly more sane route of putting stuff in ProgramData, the users shouldn't be able to edit scripts. But they can add whatever files they want into the folder, including programs and DLLs. If the script calls programs without specifying the full path, and the task has set its working directory to the script's directory, then anybody can put a program with the same name as the command into the directory, and the script will run that program instead of the command it was trying to run.

# Feb 2, 2017 19:41

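One way to audit a fleet for the condition described in this post, as an added example that is not from the thread or any poster: list the scheduled tasks that run a PowerShell script and flag those whose .ps1 or containing folder is writable by broad principals, along with whether a working directory is set. It assumes Windows 8/Server 2012 or later (for Get-ScheduledTask) and an elevated session; the principal list and write-rights mask are my choices, and the script only reports, it changes nothing.

```powershell
# Added example, not from the thread: audit scheduled tasks that run a PowerShell
# script and report whether broad principals (ordinary users) can modify the script
# or plant files in its folder. Read-only; run elevated to see every account's tasks.

# Write access granted to any of these means "every real user can tamper".
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$WriteMask = [Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Test-BroadWriteAccess {
    # True if an Allow ACE for a broad principal carries any right in $WriteMask.
    # Generic-right ACEs (e.g. GENERIC_ALL) are not decoded here.
    param([Parameter(Mandatory)][string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Get-ScriptPathFromArguments {
    # Extract the .ps1 path from arguments such as:  -NoProfile -File "C:\Scripts\nightly.ps1"
    param([string]$Arguments)
    if ($Arguments -match '-(?:File|f)\s+"?([^"]+?\.ps1)"?') { return $Matches[1] }
    if ($Arguments -match '(\S+\.ps1)') { return $Matches[1] }
    return $null
}

Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute -notmatch 'powershell|pwsh') { continue }
        $script = Get-ScriptPathFromArguments $action.Arguments
        if (-not $script) { continue }
        $script = [Environment]::ExpandEnvironmentVariables($script)
        if (-not (Test-Path -LiteralPath $script)) { continue }
        [pscustomobject]@{
            Task           = $task.TaskPath + $task.TaskName
            RunsAs         = $task.Principal.UserId       # privileged service accounts matter most
            Script         = $script
            ScriptWritable = Test-BroadWriteAccess $script
            FolderWritable = Test-BroadWriteAccess (Split-Path -Parent $script)
            WorkingDirSet  = [bool]$action.WorkingDirectory  # the unqualified-command case from the post
        }
    }
} | Where-Object { $_.ScriptWritable -or $_.FolderWritable } | Format-Table -AutoSize
```

Remediation for anything listed is to move the script under a folder that inherits admin-only write access (or strip the broad write ACEs), call external commands by full path, and treat FolderWritable with WorkingDirSet as the same severity as an editable script.
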
BangersInMyKnickers posted: Postscript is turing complete so you can load the code to calculate the hash in to memory, execute it, and have it parse its own file on the filesystem

I don't think a GIF can execute code, though.

# Mar 8, 2017 19:01

skull mask mcgee posted: Should note that the reduction of trust will be a gradual change across several Chrome releases, so that 30% of the web has some time to get their poo poo together.

That's for the validity periods. The main sanction is refusing to accept EV certificates as EV, which takes effect "immediately" (i.e. once the proposal gets accepted, the bug report gets made, and the pull requests go through, it will show up in Beta). If you aren't buying EV certificates, you might as well be using Let's Encrypt.

# Mar 31, 2017 07:43

ohgodwhat posted: Da, tovarisch, I am American who wants MAGA. Pozhalucta give Ukraine to Putin.

Yup, looks legit. Looks like they're mostly exploits for vulnerabilities that have already been patched, so probably targeting intermediaries that never update their poo poo (read: every one of them). Oh, and a bunch of Solaris attacks because lol Oracle.

# Apr 9, 2017 15:18

I loving love Cloud To Butt right now.

# Apr 9, 2017 15:41

Thanks Ants posted: Randomly generate admin credentials when the product sticker is made (not derived from the MAC address, serial number etc.) use QR code in mobile app as part of setup process to set those credentials on the device. Advanced users can change it later if they want to.

AT&T does the sticker thing for their routers. They don't have any symbols, but they're a reasonable length and are fairly random.

Subjunctive posted: My vacuum (right?) has a fixed random password

I was thinking about hand-pushed vacuums and trying to figure out why they would need a password. I'm getting old.

Double Punctuation fucked around with this message at 21:28 on Apr 10, 2017

# Apr 10, 2017 21:26

“So what are we having for dinner today?” “Nice, succulent, slow-cooked cloud computing.”

# Apr 13, 2017 15:04

Oh my god, this one doesn't even have a dial. It's either the app or loving Alexa.

# Apr 13, 2017 23:23

If anyone is still doing evaluations, it would probably be a good idea to make sure the vendor isn't using extremely sensitive live data in its demos. (Source is WSJ, so I linked a summary due to the paywall.)

# Apr 19, 2017 22:25

Furism posted: So in the spirit of bashing IoT device makers, here's a new one (I think): https://www.pentestpartners.com/blog/iot-aga-cast-iron-security-flaw/

quote: 9th April 2017 – Discovered that @Aga_official had blocked me on Twitter!

"If we ignore the problem, maybe it will go away."

# Apr 20, 2017 09:57

Part of the problem is that's GeForce Experience, which is a notoriously lovely program that NVIDIA loves to bundle with their driver updates. Their custom build of Node is always out of date. I have never seen a release that hasn't set off PSI.

# Apr 22, 2017 21:18

ohgodwhat posted: Shagger: the linux subsystem

LOL no. https://twitter.com/taviso/status/860681252034142208

# May 6, 2017 04:11

Best case scenario is it's Remote Assistance. Slightly worse is NTLM because gently caress NTLM for still existing.

# May 6, 2017 04:16

Rufus Ping posted: windows firewall

windows defender

# May 6, 2017 04:45

What do I win?

# May 9, 2017 07:46

MS spent zero money on that patch because they already made it for POSReady.

# May 13, 2017 14:22

Yeah, a local admin has to be tricked into opening a malicious file. But once that happens, say goodbye to your domain. This is why you don't give out admin privileges like candy. Also, you can show the command line in Task Manager by adding the "Command line" column to the Details pane. This shows you what DLL and function is being run through rundll32, so you can tell if it's malicious or not. Don't just go around killing every instance of rundll32 you see.

# Jun 27, 2017 22:07

Windows makes me want to defenestrate my computer.

# Jun 30, 2017 01:52

There should be a note about Let's Encrypt in the OP, besides the link with outdated text that says nothing about what it does. Never spend money on DV certificates.

# Jun 30, 2017 19:38

BangersInMyKnickers posted: Here come my terrible poasts:

Serious question: Why are the lovely NIST curves still above 25519? Most of the RFCs for it are either published or in the queue.

# Jul 7, 2017 01:01

BangersInMyKnickers posted: The NIST curves are vetted and not exactly "lovely". 25519 has a strength roughly equivalent to P256 and when translating from asymm their comparable symm cipher would be AES128. Since the world is pretty well standardizing on AES256 since the overhead is proving a non-issue then you need equivalent strength key exchange.

The problem with the NIST curves is there are no public design documents. The NSA already backdoored one algorithm, so it's possible they put a backdoor in the curves as well. I understand the concerns about strength. I guess we need to wait for X448 support for a better option.

# Jul 11, 2017 22:31

Good news, everyone! (This is officially going to take longer than the death of XP, which is still getting updates through that loving registry hack.)

# Jul 25, 2017 19:03

If you've actually committed a crime, maybe you shouldn't go to a convention that's about stopping the crime you committed.

# Aug 4, 2017 00:14

incoherent posted: government's case can't be that friggin strong if they let him back onto twitter.

If they're competent, they'd have firewalled him and forced him to install a root certificate so they can watch everything he does.

# Aug 15, 2017 23:12

So a money hole then?

# Aug 20, 2017 17:54

Fraud alerts are you putting a message on your credit report telling lenders to be suspicious of any attempts to get credit. It's up to the lenders to pay attention. It's generally free to do so. Freezes prevent access to your credit report, and anyone who needs it will automatically deny whatever they need it for. These usually cost money unless someone actually stole and used your identity, and the cost varies by state. Except Equifax's freeze process is apparently completely useless. Don't give them any money or sign up for anything through them.

# Sep 12, 2017 01:30